On Sept. 27, 2013, California’s governor signed AB370 into law, amending the California Online Privacy Protection Act of 2003 (“CalOPPA”). Effective Jan. 1, 2014, the law now requires website and mobile application operators to disclose how they respond to “Do Not Track” (“DNT”) signals. See 2013 Cal. Legis. Serv. Ch. 390 (A.B. 370) (West). While it is a California law, the requirement applies to website and mobile application operators everywhere who collect information from California residents.
Why “Do Not Track”?
DNT is a response to the tracking of consumers’ online behavior across websites. Many websites and mobile applications track such consumer data, use it to construct a profile of a consumer’s interests, and then sell that information to third-party advertisers or use it to customize their own advertisements. The data collection is typically done by collecting information from a browser’s “cookies” file, which automatically keeps a record of websites visited by the user. Since it is not obvious that this is happening, such behavior-tracking usually goes unnoticed by the consumer. Enter DNT.
What is “Do Not Track”?
DNT, in a word, is code. All major internet browser providers have now implemented simple DNT systems. These systems allow users to choose to broadcast a DNT signal with an HTTP header to websites indicating that they do not wish to have their online activity tracked. A user can normally access their browser’s DNT option in the browser’s preferences. See, e.g., Use Tracking Protection in Internet Explorer. For more information about “Do Not Track,” including the larger social and policymaking context, visit donottrack.us.
What Does the California Law Require?
The California law requires a website operator simply to disclose how it “responds to Web browser ‘do not track’ signals” if the operator collects user personally identifiable information (“PII”) across other websites besides its own. See Cal. Bus. & Prof. Code § 22575(a)(5). An operator can meet this requirement in one of two ways:
While either method will satisfy the law, the California Attorney General recommends the first option as a best practice.